
Data Processing Agreement

Last updated: March 1, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") supplements and forms an integral part of the Terms of Service ("Agreement") between Ovvoc ("Processor," "we," "us," or "our") and the entity or individual accepting the Agreement ("Controller," "Customer," "you," or "your"). This DPA applies to the extent that Ovvoc processes Personal Data on behalf of the Customer in the course of providing the Service.

The Customer acts as the Controller of Personal Data, and Ovvoc acts as the Processor, within the meaning of the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR") and any applicable national implementing legislation. This DPA is entered into pursuant to Article 28 of the GDPR and sets forth the parties' obligations with respect to the processing and security of Personal Data in connection with the Service.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to the processing of Personal Data. All capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement.

2. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, as defined in Article 4(2) of the GDPR.
  • "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) of the GDPR.
  • "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller, as defined in Article 4(8) of the GDPR.
  • "Data Subject" means an identified or identifiable natural person to whom the Personal Data relates.
  • "Subprocessor" means any third-party Processor engaged by Ovvoc to assist in fulfilling its obligations with respect to the Processing of Personal Data under this DPA and the Agreement.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.

3. Scope of Processing

The scope, nature, and purpose of the Processing, the types of Personal Data processed, and the categories of Data Subjects are as follows:

3.1 Nature and Purpose of Processing

Ovvoc processes Personal Data solely for the purpose of providing the automated dependency update Service as described in the Agreement. This includes cloning Customer repositories, analyzing dependency configurations, executing build and test processes within ephemeral containers, generating code transformations, opening pull requests, and providing dashboard and notification functionality. Processing is carried out by automated means and is strictly limited to what is necessary for the performance of the Service.

3.2 Types of Personal Data

The following categories of Personal Data may be processed in connection with the Service:

  • GitHub usernames and profile identifiers
  • Email addresses (for authentication, notifications, and account management)
  • IP addresses (for security, rate limiting, and abuse prevention)
  • Repository metadata (repository names, branch names, commit hashes, file paths)
  • Code authorship information (commit author names and email addresses present in repository history)
  • Authentication tokens (encrypted, short-lived, used exclusively for repository access)
  • Usage data (login timestamps, feature interactions, job execution history)

3.3 Categories of Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA include:

  • Customer employees and authorized users who access the Service
  • Customer contractors and consultants with access to connected repositories
  • Third-party contributors whose identifying information appears in repository metadata, commit history, or code comments within repositories connected to the Service

3.4 Duration of Processing

Processing shall continue for the duration of the Agreement between the parties, unless terminated earlier in accordance with Section 11 of this DPA. Upon termination, Ovvoc shall delete or return all Personal Data in accordance with the provisions set forth in Section 11.

4. Obligations of the Processor

Ovvoc, as the Processor, undertakes the following obligations in connection with the Processing of Personal Data:

4.1 Processing on Documented Instructions

Ovvoc shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which Ovvoc is subject. In such a case, Ovvoc shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's instructions are documented in this DPA and the Agreement; any additional or alternative instructions require the Controller's prior written consent.

4.2 Confidentiality

Ovvoc shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of the individual's engagement with Ovvoc. Ovvoc shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Service.

4.3 Security Measures

Ovvoc shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in detail in Section 5 of this DPA and shall be reviewed and updated as necessary to address evolving threats and technological developments.

4.4 Subprocessor Management

Ovvoc shall not engage another Processor (Subprocessor) without prior specific or general written authorization of the Controller. In the case of general written authorization, Ovvoc shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Controller the opportunity to object to such changes, as described in Section 6 of this DPA.

4.5 Assistance with Data Subject Rights

Ovvoc shall assist the Controller, taking into account the nature of the Processing, by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection).

4.6 Assistance with Compliance Obligations

Ovvoc shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the Processing and the information available to Ovvoc. This includes assistance with security of Processing, notification of Personal Data breaches, data protection impact assessments, and prior consultation with supervisory authorities, as applicable.

4.7 Data Deletion or Return

At the choice of the Controller, Ovvoc shall delete or return all Personal Data to the Controller after the end of the provision of the Service, and shall delete existing copies unless European Union or Member State law requires storage of the Personal Data. The specific timelines for deletion are set forth in Section 11 of this DPA.

4.8 Audit Information

Ovvoc shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as described in Section 10 of this DPA.

5. Security Measures (Technical and Organizational)

In accordance with Article 32 of the GDPR, Ovvoc implements and maintains the following technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage:

5.1 Encryption

  • Data in transit: All data transmitted between the Customer and Ovvoc is encrypted using Transport Layer Security (TLS) version 1.2 or higher. All internal service-to-service communications are similarly encrypted.
  • Data at rest: Sensitive data, including authentication tokens, API keys, and private registry credentials, is encrypted at rest using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). Database connections are encrypted using TLS.

5.2 Access Control

  • Role-based access control (RBAC): Access to systems and data is granted on a least-privilege basis, with permissions assigned according to role requirements.
  • Multi-factor authentication: Multi-factor authentication is required for all administrative access to production systems and infrastructure.
  • Authentication: Customer authentication is secured through JWT tokens with 15-minute expiry, refresh token rotation, HttpOnly/Secure/SameSite cookies, and brute-force protection.

5.3 Container Isolation

  • All dependency update jobs execute within ephemeral Docker containers that are created for a single job and destroyed immediately upon completion or failure.
  • Containers are subject to strict resource limits (CPU, memory, disk, and execution time) and run within gVisor sandboxes in production environments.
  • Customer code is never persisted beyond the lifetime of the ephemeral container.

5.4 Network Segmentation

  • Ephemeral containers operate with outbound-only network access, restricted to package registries and source code hosting platforms.
  • Internal services communicate through private networks with firewall rules enforcing least-privilege connectivity.

5.5 Logging and Monitoring

  • All access to systems containing Personal Data is logged with timestamps, actor identifiers, and action descriptions.
  • Automated alerting is configured for suspicious activity, unauthorized access attempts, and security anomalies.
  • Logs are retained for a period sufficient to support incident investigation and regulatory compliance.

5.6 Incident Response

  • Ovvoc maintains a documented incident response plan covering detection, triage, containment, remediation, and post-mortem analysis.
  • Incident response procedures are tested and updated periodically.

5.7 Personnel Security

  • All personnel with access to Personal Data are bound by confidentiality obligations.
  • Access to production systems is reviewed regularly and revoked promptly upon role change or termination.

5.8 Business Continuity

  • Database backups are performed regularly and stored in encrypted form.
  • Disaster recovery procedures are documented and tested to ensure timely restoration of service.

6. Subprocessors

6.1 Current Subprocessors

The Controller hereby grants general written authorization for Ovvoc to engage the following Subprocessors. The current list of Subprocessors is as follows:

Subprocessor                    Location                             Purpose
GitHub (Microsoft)              United States                        Source code hosting, repository access, pull request creation, OAuth authentication
Paddle.com Market Limited       United Kingdom                       Payment processing, subscription management, tax compliance (Merchant of Record)
Google (Gemini API)             United States                        AI-powered code transformation analysis for complex dependency updates
Resend                          United States                        Transactional email delivery (notifications, verification, password reset, weekly digests)
Cloudflare                      United States (global edge network)  CDN, DDoS protection, DNS, and TLS termination

6.2 Prior Written Consent

Ovvoc shall notify the Controller in writing (via email to the address associated with the Controller's account) at least 30 days prior to engaging any new Subprocessor or replacing an existing Subprocessor. The notification shall include the identity of the proposed Subprocessor, its location, and the nature of the Processing to be performed.

6.3 Objection Right

The Controller may object to the appointment of a new or replacement Subprocessor within 30 days of receiving notice. The objection must be in writing and must state reasonable grounds relating to data protection. If the Controller objects, Ovvoc shall use commercially reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable alternative. If Ovvoc is unable to accommodate the Controller's objection, either party may terminate the Agreement with respect to the affected Service by providing written notice.

6.4 Subprocessor Obligations

Where Ovvoc engages a Subprocessor, Ovvoc shall: (a) impose on the Subprocessor, by way of a written contract, data protection obligations no less onerous than those set out in this DPA; (b) remain fully liable to the Controller for the performance of the Subprocessor's obligations; and (c) ensure that the Subprocessor provides sufficient guarantees to implement appropriate technical and organizational measures in accordance with the GDPR.

7. Data Subject Rights

Ovvoc shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including the rights of access, rectification, erasure, restriction of Processing, data portability, and objection.

Where a Data Subject contacts Ovvoc directly with a request concerning their Personal Data, Ovvoc shall promptly redirect the Data Subject to the Controller and notify the Controller of the request without undue delay. Ovvoc shall not respond to a Data Subject request directly unless expressly authorized to do so by the Controller.

Ovvoc shall respond to the Controller's instructions regarding Data Subject requests within 10 business days of receiving the Controller's documented instruction. Ovvoc shall provide the Controller with such technical and organizational assistance as is reasonably necessary to enable the Controller to comply with its obligations under Articles 15 through 22 of the GDPR.

8. Data Breach Notification

8.1 Notification Timeline

Ovvoc shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach, as defined in Article 4(12) of the GDPR. Notification shall be made to the email address associated with the Controller's account and, where available, through the Service dashboard.

8.2 Content of Notification

The breach notification shall include, to the extent reasonably ascertainable at the time of notification:

  • A description of the nature of the Personal Data breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned
  • The name and contact details of the data protection officer or other contact point from whom more information can be obtained
  • A description of the likely consequences of the Personal Data breach
  • A description of the measures taken or proposed to be taken to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects

Where it is not possible to provide all information simultaneously, the information may be provided in phases without undue further delay. Ovvoc shall document all facts relating to the Personal Data breach, its effects, and the remedial actions taken.

8.3 Cooperation with Supervisory Authority

Ovvoc shall cooperate with the Controller and provide reasonable assistance in connection with any investigation by a supervisory authority or any notification to Data Subjects required under Articles 33 and 34 of the GDPR. Ovvoc shall not notify any supervisory authority or Data Subject directly unless required by applicable law or expressly instructed to do so by the Controller.

9. International Transfers

Ovvoc shall not transfer Personal Data to a country outside the European Economic Area ("EEA") unless adequate safeguards are in place in accordance with Chapter V of the GDPR. Where such transfers are necessary for the provision of the Service (including transfers to Subprocessors located outside the EEA), Ovvoc shall ensure that one or more of the following transfer mechanisms are in place:

  • Standard Contractual Clauses: The Standard Contractual Clauses as approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914 are hereby incorporated by reference into this DPA and shall apply to any transfer of Personal Data to a third country that has not been recognized by the European Commission as providing an adequate level of data protection.
  • Supplementary Measures: Where required by applicable law or guidance from supervisory authorities, Ovvoc shall implement supplementary technical and organizational measures (such as encryption in transit and at rest, pseudonymization, and access controls) to ensure that the transferred Personal Data is afforded a level of protection that is essentially equivalent to that guaranteed within the EEA.
  • Adequacy Decisions: Where the European Commission has issued an adequacy decision pursuant to Article 45 of the GDPR with respect to the recipient country, transfers may be made on the basis of such adequacy decision without the need for additional safeguards.

The Controller acknowledges that certain Subprocessors listed in Section 6 are located in the United States and that transfers to such Subprocessors are subject to the safeguards described in this Section.

10. Audit Rights

The Controller shall have the right to audit Ovvoc's compliance with this DPA, subject to the following conditions:

  • Frequency: The Controller may conduct or commission an audit no more than once per calendar year, unless a Personal Data breach has occurred or a supervisory authority requires an additional audit.
  • Notice: The Controller shall provide Ovvoc with at least 30 days' prior written notice of any proposed audit, specifying the scope and duration of the audit.
  • Scope: Audits shall be limited to Ovvoc's facilities, systems, and processes relevant to the Processing of Personal Data under this DPA, and shall be conducted during normal business hours with minimal disruption to Ovvoc's operations.
  • Remote Audit: Where feasible, Ovvoc may offer a remote audit option, providing the Controller with access to relevant documentation, certifications, and summaries of independent third-party audit reports in lieu of an on-site inspection.
  • Third-Party Audit Reports: Ovvoc may satisfy audit requests by providing the Controller with copies of relevant third-party audit reports or certifications (such as SOC 2 Type II reports), provided that such reports are current and cover the areas relevant to the Controller's audit request.
  • Costs: The Controller shall bear the costs of any audit it initiates, except where the audit reveals a material breach of this DPA by Ovvoc, in which case Ovvoc shall bear the reasonable costs of the audit.
  • Confidentiality: Any information disclosed during an audit shall be treated as Confidential Information and shall be subject to the confidentiality provisions of the Agreement.

11. Term and Termination

11.1 Term

This DPA shall remain in effect for the duration of the Agreement. The DPA is co-terminous with the Agreement and shall automatically terminate upon the termination or expiration of the Agreement, subject to the data deletion obligations set forth below.

11.2 Data Deletion

Upon termination or expiration of the Agreement, Ovvoc shall, at the Controller's election, either delete or return all Personal Data processed under this DPA within 30 days of the effective date of termination. The Controller may request the return of Personal Data in a commonly used, machine-readable format. If the Controller does not provide instructions within 30 days of termination, Ovvoc shall delete all Personal Data.

11.3 Certification of Destruction

Upon completion of the deletion of Personal Data, Ovvoc shall provide the Controller, upon written request, with a written certification confirming that all Personal Data has been deleted in accordance with the requirements of this DPA. Notwithstanding the foregoing, Ovvoc may retain Personal Data to the extent required by applicable European Union or Member State law, provided that Ovvoc ensures the confidentiality of such Personal Data and processes it solely for the purposes required by such law.

12. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, shall be subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for damages resulting from its breach of the GDPR to the extent that such limitation is prohibited by applicable law.

13. Contact

For any questions, requests, or concerns relating to this Data Processing Agreement, the processing of Personal Data, or the exercise of rights under the GDPR, please contact us at [email protected].

For general legal inquiries, please refer to our Terms of Service and Privacy Policy.